b'                  FEDERAL COMMUNICATIONS COMMISSION\n                      OFFICE OF INSPECTOR GENERAL\n\n                                    MEMORANDUM\n\n\n   DATE:       October 21, 1999\n\nREPLY TO\nATTN OF: Inspector General\n\nSUBJECT:       Business Continuity and Contingency Planning\n\n       TO:     Chairman\n\n\nOn August 16, 1999, the Office of Inspector General (OIG) issued the "Audit of the FCC\nYear 2000 Program.\xe2\x80\x9d In my cover transmittal to that report, I advised you that the OIG\nwould continue to monitor and support the internal efforts being undertaken by the\nCommission to address the potential Year 2000 problem. This Special Report focuses\nupon our findings to date in the critical area of Business Continuity and Contingency\nPlanning (BCCP). In the attached report we note that the Commission does not have\ndocumented assurance that in the event of a disruption to the Commission\'s infrastructure\nmany mission critical functions could perform in an unimpeded manner.\n\nOverall, the Commission\'s BCCP program was initiated in a late manner and has\nexperienced significant delays since inception. The Chief Information Officer (CIO)\nattributed this condition to delays in obtaining requisite funding and competing priorities\nsuch as thc move of the Commission to the Portals facility. This consolidation .of\nCommission personnel and related workstations and servers placed a heavy burden on\nnetwork personnel.\n\nThe majority of plans for operational continuity in the case of a disruption for identified\nmission critical systems have not been tested for the Year 2000 event. The OIG\nrecommends that the Commission work aggressively in the limited time frame available\nto focus upon the most critical systems by subjecting them to simulation testing.\n\x0cWe are continuing to perform additional work in this and other areas relating to internal\npreparations for the year 2000 event. I will continue to provide you with pertinent\ninformation generated by this office.\n\n                                         Sincerely,\n\n\n\n\n                                         H. Walker Feaster, III\n                                         Inspector General\n\nAttachment\n\ncc: Commissioner Powell\n    Chief of Staff\n    Managing Director\n\x0c     Special Review Report of the Commission\xe2\x80\x99s Draft Business Continuity and\n                            Contingency Plan (BCCP)\n\n                                EXECUTIVE SUMMARY\n\nThis special review report reflects the results of work performed by the Office of\nInspector General (OIG), as of October 19, 1999, related to our analysis of the status of\nthe Federal Communications Commission (FCC) Business Continuity and Contingency\nPlan (BCCP). A BCCP is a formal plan outlining the specific steps to be instituted in the\nevent of a System failure. Office of Management and Budget (OMB) Circular A-130\nissued February 1996 directs each Federal agency to "establish and periodically test the\ncapability to perform the agency function supported by the application in the event of\nfailure.\xe2\x80\x9d The need for the FCC to have a BCCP for all mission critical systems is\namplified in light of potential disruptions, which may be experienced in connection with\nthe Year 2000 (Y2K) event. OIG auditors have identified that the FCC does not have a\nsufficiently detailed and tested BCCP in place to prepare for an outage of one or more\nmission critical systems (excluding Auctions systems). With approximately eighty (80)\ndays remaining until the Year 2000, the Commission does not have sufficient time to\nfully address this situation. Thus, the OIG recommends that the Commission focus its\nattention upon performing detailed BCCP tests only for those highest in its ranking order.\n\n                                     BACKGROUND\n\nOn August 16, 1999, the OIG issued the "Audit of the FCC Year 2000 Program.\xe2\x80\x9d This\nreport identified a number of deficiencies in the FCC\'s preparations for the Year 2000\nevent. One area of concern was the lack of a BCCP for twenty-nine (29) of thirty (30)\nmission critical systems. Only the spectrum auction system was identified as having a\nBCCP. All other mission critical systems, such as the Universal Licensing System (ULS),\ndid not have a documented and tested BCCP. A complete listing of these Systems is\nprovided as Appendix 1 to this report. Thus, in the event of tire, electrical failure, or other\ndisruption, the Commission lacks assurance that operations in these functional areas\ncould proceed. The aforementioned condition exists in contrast to the requirements\ncontained in OMB Circular A-130.\n\nThe FCC did establish, on April 6, 1999, a Business Continuity Task Force (BCTF)\ncomposed of representatives from the Office of the Managing Director (OMD), the\nInformation Technology Center (ITC), and the Commission\'s Bureaus and Offices. This\ntask force was charged with advising and tracking the progress of the development of a\nBCCP. On June 23,1999, the task force issued the "Year 2000 Business Continuity and\nContingency Plan (BCCP)." This plan contained information on the following:\n\xe2\x80\xa2 Business Continuity Strategy\n\xe2\x80\xa2 Roles and Responsibilities\n\xe2\x80\xa2 Identification of Core Business Areas\n\xe2\x80\xa2 Contingency Plan Testing\n\nThis document met the core requirements contained in OMB Memorandum, Business\n\x0cContinuity and Contingency Planning for the Year 2000, May 13, 1999. What this\ndocument did not address was the BCCPs for Bureau/Office mission critical systems.\nThus, if a mission critical system such as ULS were to fail on January 1,2000, there is no\ndocumented process in place to continue program operations.\n\nThe Commission\'s BCCP identified the core Commission business areas and supporting\ncritical infrastructure, with the associated threats to their continued functioning. The\nBCCP then developed a business impact analysis for each threat and ranked them as to\nseverity. To address and mitigate the risks from these threats, the BBCP required the\nBureaus and Offices to develop and test local contingency plans, which included the\nmission critical systems.1 The deadline for completing the development of local plans\nwas August 15, 1999.\n\nThirteen of the fourteen Bureaus and Offices required to develop a BCCP met the initial\nAugust 15, 1999, deadline. But, according to the Chief Information Officer (CIO), most\nof the plans submitted by the original deadline required additional work. One Bureau, the\nInternational Bureau (IB), completed its BCCP after one revision. The remaining thirteen\nBCCPs needed at least three drafts. This process required the Year 2000 Program\nManager to schedule meetings to review the plans in detail, agree on plan changes, and\nestablish new target dates for completion. The revision process was time consuming and\nrequired a modification of the completion dates for local plans. The new target date for\ncompletion of the final drafts was October 1, 1999, over one month later.\n\nOnly the IB completed its BCCP by the October 1, 1999, milestone. The Managing\nDirector then set new target dates for reviews of the final drafts of the remaining local\nplans. Some reviews were scheduled as late as October 14, 1999. These delays put the\ndevelopment of local BCCP plans two months behind its original August 1, 1999,\nmilestone date, with less than three months left.\n\nAfter plan development, the next step is to test the plans. There are two types of BCCP\ntests: desktop and simulation testing. A desktop test requires the Bureau/Office manager\nresponsible for contingency testing to develop a solution to a Year 2000 outage "on\npaper." The participants in a desktop test do not mimic an actual disaster.\n\nThe other test scenario, simulation testing, requires that the testers declare a mock\ndisaster. For example, the Bureau/Office declares a Year 2000 "emergency" and conducts\nactual business as if the computer applications were not available. Simulation tests\nrequire a high level of planning and coordination. The agency wide BCCP does not\nspecifically state which test scenario will be used. Simulation tests require much more\ncoordination and planning than do desktop tests.\n\nThe Commission must test its BCCPs to determine if they will provide an acceptable\nlevel of service for core Commission business areas. The ITC had established a deadline\nof October 15, 1999 for completion of testing of the Commission\'s BCCP, including the\n\n\n1\n  The FCC Year 2000 BCCP document tasked Bureaus and Offices with developing local BCCPs,\nincluding mission critical systems. This document shifted the emphasis of BCCP development from OMB\nmission critical systems focus to the more encompassing Bureau/Office view.\n\x0cBureau and Office plans for supporting core business areas. With plan reviews scheduled\nfor October 14, 1999, the Commission did not meet this milestone.\n\n                                            FINDING\n\nThe FCC does not have a sufficiently detailed and tested BCCP in place to prepare for an\noutage of one or more mission critical systems (with the exception of Auctions). As of\nOctober 6, 1999, the Commission has not completed thirteen of its fourteen local BCCPs\nfor its Bureaus and Offices. No documented plan has been tested. With less than three\nmonths until January I, 2000, the Commission does not have sufficient time to fully\naddress this problem.\n\nThe agency level BCCP established August 15, 1999, as the original target date for the\ncompletion ofloca1 plans. According to the CIO, most of the plans submitted by that\noriginal deadline required additional work. Therefore, the Year 2000 Program Manager\nhad to schedule meetings to review the plans in detail, agree on plan changes, and\nestablish new target dates for completion. The CIO took these steps to insure that\nBureaus and Offices will have thorough and realistic contingency plans. As of October 6,\n1999, only them had completed its local plan. The Managing Director then set revised\ntarget dates for reviews of the final drafts of the remaining local plans. Some were\nscheduled as late as October 14, 1999. The original testing milestone was October 15,\n1999. Because of these delays, the Commission did not meet this milestone. The BCCP\nprogram is also two months behind its original milestone dates, with less than three\nmonths left until January 1, 2000. Accordingly, should an outage occur to one or more\nmission critical systems due to the Y2K phenomenon or some other adverse event, the\nChairman cannot be provided assurance that the Commission has the capability to\ncontinue business operations in effected mission critical program areas.\n\nOMB Circular A-130, Appendix 111, issued in February 1996, directs each agency to\n"establish and periodically test the capability to perform the agency function supported\nby the application in the event of failure" by developing contingency plans. The General\nAccounting Office (GAO) has recommended that agencies complete Year 2000 BCCPs\nby April 30, 19992 and complete testing by September 30, 1999.3 FCC Commissioner\nMichael Powell, in a November 15, 1998 speech before the Year 2000 Contingency\nPlanning for Government Conference, stated that Year 2000 contingency plans are "one\nof the first things you develop." Further, Mr. Powell stated "the time is now for working\non contingency plans.4 "\n\nManagement attributed the late start of the BCCP program to two factors: delays in\nobtaining funding and competing priorities. The Year 2000 remediation project was not\nadequately funded until December, 1998, according to the Year 2000 Program Manager.\n\n\n2\n  Year 2000 Computing Crisis: Readiness Improving, But Much Work Remains to Avoid Major\nDisruptions (GAO/T-AIMD-99-50, January 20, 1999), p. 14.\n3\n  Ibid., page 12.\n4\n  Michael K. Powell, \xe2\x80\x9cYear 2000 Problem and the Communications Industry\xe2\x80\x9d (Speech delivered at the\nYear 2000 Contingency Planning Conference, November 16, 1998), p. 4.\n\x0cCompeting priorities, such as the Commission\'s move to the Portals facility, also slowed\nthe Year 2000 project. This consolidation of Commission Personnel and related\nworkstations and servers placed a heavy burden on ITC personnel. The Commission,\ntherefore, had little time available to contend with project delays, such as occurred during\nthe. development of local plans.\n\nThe OIG finding was discussed with the CIO and the Year 2000 Program Manager. The\nYear 2000 Program Manager stated that though the local BCCP project is behind\nschedule, there is still adequate time for the completion of local BCCPs and to permit\ntesting to the extent needed. The FCC\'s methodology has been to require thorough and\nrealistic plans before acceptance rather than to accept initial plans and then to perfect\nthem over time. If the FCC had settled for a lesser quality initial product, the FCC could\nhave met the schedule and, possibly, could have avoided some criticism. However, the\napproach was to require achieving high quality before acceptance.\n\nIn addition, the FCC thinks that the testing of plans is important. However, all Bureaus\nand Offices have within the last six months been required to carry out manual operations\nfor sufficient lengths of time that both management and frontline staff are knowledgeable\nand prepared for the possible loss of partial or full automated support.\n\n                                 RECOMMENDATION\n\nThe Commission should continue to aggressively work to institute and test BCCP\'s for all\nmission critical systems. If timing is insufficient to fully simulation test all systems, only\nthose systems of the highest criticality and risk should be simulation tested. All systems\nshould, at a minimum, be subject to an independent desktop test. A desktop test is not\noptimal, as it does not replicate the conditions related to an actual system outage.\nNonetheless, it provides some measure of familiarity to program operators and users of\ncontingency measures, which may require implementation.\n\x0cAppendix 1 - Mission Critical Systems\n\nAs part of our review of the Commission Y2K program, we requested that the CIO\nprovide a listing of mission-critical information systems. In response to this request, the\nCIO provided the following list.\n\n         Bureau/Office                                   Mission Critical Information System\nCable Services Bureau                       Cable Antenna Licensing & Cable Operator Registration\n                                            Systems (COPS/CARS)\nCompliance and Information                  Integrated Voice Response System (IVR)\nBureau\nInternational Bureau                        International Bureau Filing System (IBFS)\nInternational Bureau                        Co-Channel Serial Licensing System (USA/Canada) (Coser)\nMass Media Bureau                           AM Licensing\nMass Media Bureau                           FM Licensing\nMass Media Bureau                           TV Licensing\nMass Media Bureau                           Multipoint Distribution Systems (MDS)\nMass Media Bureau                           EEO5\nMass Media Bureau                           Children\xe2\x80\x99s TV\nOffice of Engineering and                   Equipment Authorization System\nTechnology\nOffice of Engineering and                   Experimental Licensing System\nTechnology\nCommon Carrier Bureau                       Informal Complaints\nCommon Carrier Bureau                       Tariffs\nCommon Carrier Bureau                       Automated Reporting Management Information System\n                                            (ARMIS)\nOffice of Managing Director                 Collections\nOffice of Public Affairs                    Electronic Comments Filing System (ECFS \xe2\x80\x93 RIPS)\nWireless Telecommunications                 Aviation\nBureau\nWireless Telecommunications                 Marine\nBureau\nWireless Telecommunications                 Restricted & Commercial\nBureau\nWireless Telecommunications                 Amateur\nBureau\nWireless Telecommunications                 Auctions\nBureau\nWireless Telecommunications                 Cellular\nBureau\nWireless Telecommunications                 Paging\nBureau\nWireless Telecommunications                 Personal Communications System\nBureau\n\n5\n    On May 14, 1999 EEO was taken off the list of mission critical systems.\n\x0cWireless Telecommunications   Coast & Ground\nBureau\nWireless Telecommunications   Land Mobile\nBureau\nWireless Telecommunications   Microwave\nBureau\nWireless Telecommunications   Interactive Video Data Service (IVDS)\nBureau\nWireless Telecommunications   Universal Licensing System (ULS)\nBureau\n\x0c'